Method for providing media communication across firewalls

ABSTRACT

The present invention supports a method for transmitting information packets across network firewalls. A trusted entity is provisioned with an address designation for a pinhole through the firewall during setup of a communication session between two communication devices. This pinhole address is used throughout the communication session between the two communication devices to transmit information packets onto and out of the communication network. Information packets addressed to the communication device inside the firewall are received by the trusted entity, which replaces address header information in the information packet with the address for the pinhole. The information packet is routed to the pinhole where it passes onto the network for routing to the communication device inside the firewall. Information packets transmitted from the network are also routed to the trusted entity for routing toward the communication device outside the firewall.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 13/506,330, filed Apr. 11, 2012, entitled “METHOD FOR PROVIDING MEDIA COMMUNICATION ACROSS FIREWALLS”, which is a continuation of U.S. patent application Ser. No. 10/642,256, filed Aug. 15, 2003, now U.S. Pat. No. 8,166,533, issued Apr. 24, 2012, entitled “METHOD FOR PROVIDING MEDIA COMMUNICATION ACROSS FIREWALLS”, which claims the benefit of U.S. Provisional Patent Application No. 60/404,198, filed Aug. 17, 2002, the entire contents of each of which are incorporated herein by reference.

FIELD OF THE INVENTION

A method for transmitting information packets with multimedia communication across firewalls.

BACKGROUND OF THE INVENTION

The Internet, like so many other high tech developments, grew from research originally performed by the United States Department of Defense. In the 1960s, the military had accumulated a large collection of incompatible computer networks. Computers on these different networks could not communicate with other computers across their network boundaries.

In the 1960s, the Defense Department wanted to develop a communication system that would permit communication between these different computer networks. Recognizing that a single, centralized communication system would be vulnerable to attacks or sabotage, the Defense Department required that the communication system be decentralized with no critical services concentrated in vulnerable failure points. In order to achieve this goal, the Defense Department established a decentralized standard communication protocol for communication between their computer networks.

A few years later, the National Science Foundation (NSF) wanted to facilitate communication between incompatible network computers at various research institutions across the country. The NSF adopted the Defense Department's protocol for communication, and this combination of research computer networks would eventually evolve into the Internet.

Internet Protocol and Packet-Based Communication

The Defense Department's communication protocol governing data transmission between different networks was called the Internet Protocol (IP) standard. The IP standard uses discrete information packets, sometimes called datagrams, to communicate between different computers and other devices and networks over the Internet. The IP standard has been widely adopted for the transmission of discrete information packets across network boundaries. In fact, most telecommunication networks operate using information packets to transmit data to linked communication devices. The IP standard or similar packet-based communication protocols govern communications on these networks as well as the Internet, and businesses are increasingly adopting Internet compatible packet-based communication for private communication networks.

Packet-based communication protocols depend on destination and source address data found in an address header for routing over a communication network. Each information packet's path through the network is controlled by switching or routing decisions based on the address data found in the packet's address header. In a typical information packet-based communication scenario, data is transmitted from an originating communication device on a first network across a transmission medium to a destination communication device on a second network. During transmission, transit routers on the network process the information packet address header to route the individual information packets. After receipt at the destination device, the destination communication device decodes the transmitted information into the original information transmitted by the originating device according to the applicable communication protocol.

Addressing and Routing

A communication device operating on an information packet-based network is assigned a unique physical address. For IP-based networks, this address is referred to as an IP address. The IP address can include: (1) a network ID and number identifying a network, (2) a sub-network ID number identifying a substructure on the network, and (3) a host ID number identifying a particular computer on the sub-network. A header data field in the information packet will include source and destination addresses. The IP addressing scheme imposes a consistent addressing scheme that reflects the internal organization of the network or sub-network. Other addressing protocols use address headers and similar addressing mechanisms to route information packets.

A router is used to regulate the transmission of information packets into and out of the communication network. Routers interpret the logical address contained in information packet headers and direct the information packets to the intended destination. Information packets addressed between communication devices on the same network do not pass through a router on the boundary of the network, and as such, these information packets will not clutter the transmission lines outside the network. If data is addressed to a communication device outside the network, the router on the network boundary forwards the data onto the greater network.

Network communication protocols define how routers determine the transmission path through a network and across network boundaries. Routing decisions are based upon information in the address header and corresponding entries in a routing table maintained on the router. A routing table contains the information for a router to determine whether to accept an information packet on behalf of a device or pass the information packet onto another router. At each point in the routing path, the receiving or destination router processes the packet to compare the address header information to the routing table maintained on the router for the next router destination. The router then forwards the information packet to the appropriate router determined by the topological data in the routing table.

Firewalls

Private networks using Internet communication resources require secure connections for these communications. Without secure connections, computer hackers or other malicious attackers can access the network and compromise the system. Unprotected systems and networks can suffer remote login, session hijacking, denial of service attacks, e-mail bombs, redirect bombs, spam, viruses, macros, and source routing.

Firewalls are barrier devices placed at the entrance of a communication network to block unauthorized communication. A firewall may be either a program or hardware device, and firewalls basically fall into four categories: packet filters, Application Level Gateways (ALG) (also called proxies), circuit relays, and stateful multilayer inspection firewalls. Packet filters compare the information packet to a set of criteria before allowing the information packet to be forwarded onto the network. ALGs examine information packets at the application layer to block unauthorized applications or protocol information packets. Circuit relays monitor handshaking at the Transport Control Protocol (TCP) level and block unauthorized requested sessions. Stateful multilayer inspection firewalls combine elements of the other three types of firewalls by filtering information packets at the network layer, determining whether session information packets are legitimate, and evaluating information packets at the application layer.

Communication Across Firewalls

Firewalls block unauthorized entities outside the firewall from sending information packets onto the secured network. Network entities inside the firewall can transmit information outside the secured network by creating “pinholes” through the firewall. A “pinhole” is a communication port, also referred to as an IP port, that the network entity designates for sending information packets out of the network and also receiving information packets (e.g. responses) into the network during a communication session. A timer on the firewall starts when the pinhole is created, and the pinhole closes once a specified time duration elapses without any information packets going through the pinhole.

Voice-over-IP (VoIP) telecommunication is the combination of voice, data, video wireless, and multimedia applications into an integrated communication infrastructure based on circuit-switched and TCP/IP technologies and protocols. VoIP represents the next generation of networking technology capable of handling all types of packet-based communications and services. VoIP delivers more services than previously available with separate voice and data networks in conjunction with improved telephone services. VoIP takes advantage of the high voice quality found in voice networks, the ubiquitous nature of TCP/IP protocols, and the efficient use of bandwidth by having voice and data share the same connection. Having only one network with devices to manage offers significant savings, and the existing infrastructure can be utilized rather than requiring replacement. Moreover, VoIP telecommunication networks offer new applications, such as integrated contact centers and unified messages.

A telecommunication service provider with its switching equipment located outside of a firewall may attempt to make VoIP services (e.g. centrix services) or other multimedia communications available to subscribers inside the firewall. But, in order to do so, the service provider must first find a way to penetrate the firewall. Necessary signaling and media messages (e.g. information packets) have to traverse the firewall to reach the end-user's equipment and set up the requisite IP addresses for routing through a designated pinhole.

For example, to set up the call, the first setup message must be sent to the called party from the switching equipment (e.g. a soft-switch) residing outside the firewall. Since the setup message is the first information packet that switch sends to the called party terminal, it is usually blocked by the firewall unless the firewall knows not to block the setup message. Similarly, the first media (e.g. Real Time Transport Protocol message) information packet from the calling party to the called party will be blocked unless the firewall knows not to do so.

Since signaling messages usually are sent to well-known destination communication ports, it is relatively easy to configure a firewall not to block signaling messages sent to these well-known ports. However, this non-blocking function requires a particular firewall to possess network security intelligence to ensure that port is not a security hole in the firewall. Not all networks have such an intelligent firewall, and, in some applications, the switch sends setup messages directly to user terminals.

Transmitting media information packets across the firewall also presents difficulty. The dominant protocol for carrying media information packets is Real-Time Transport Protocol (RTP). RTP information packets use a large range of IP ports for different media connections, so it is not possible to specially configure certain IP ports as can be done for signaling messages. Current methods for providing VoIP across firewalls are based on exchanging messages between firewall equipment and VoIP equipment with the vendors of these types of equipment working together to create and designate pinholes in the firewall. Because most corporations already have IP networks with firewall equipment deployed, it is impractical for a service provider to deploy communication equipment to communicate with all desired communication equipment. The costs for this approach would be prohibitively high. A generic and cost-effective solution for providing multi-media communication, including VoIP, across firewalls without requiring modifications to firewall equipment or an expensive array of communication equipment is needed.

SUMMARY OF THE INVENTION

A trusted entity (a Media Proxy Router, soft switch, or combination of the two) residing outside the firewall of a private network uses signaling messages to create a pinhole through the firewall to transmit media information packets. An established signaling pinhole (e.g. port) across the firewall is used to transmit the signaling messages across the firewall and create a pinhole through the firewall for transmitting media information packets.

A routing table on the trusted entity maintains an association of the address for the location of the pinhole for media communication through the firewall. Information packets containing media communication (e.g. RTP packets) are routed between a first communication device and a second communication device using address header replacement with the address of the firewall pinhole at the trusted entity. The media information packets of a communication session then transit the firewall using this established pinhole.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects and features of the invention will become more readily understood from the following detailed description and appended claims when read in conjunction with the accompanying drawings in which like numerals represent like elements and in which:

FIG. 1 is a schematic diagram of the basic concept of the invention for communication between an entity A inside a corporate firewall and an entity B outside the firewall;

FIG. 2 is a schematic diagram for a communication session using the invention with an application server deployed inside the corporate firewalls of two private corporate networks;

FIG. 3 is a schematic diagram for a communication session using the invention without an application server deployed inside the corporate firewalls of two private corporate networks;

FIG. 4 is a schematic diagram showing signaling address translation by the Media Proxy Router for routing signaling message information packets;

FIG. 5 is a schematic diagram showing media information packet address translation by the Media Proxy Router for routing media information packets;

FIG. 6 shows the registration message flow for registering with an Application Proxy Server (APS) deployed inside the firewall;

FIG. 7 shows the invention operation with an APS deployed inside the firewall;

FIG. 8 shows the invention operation without an APS deployed inside the firewall;

FIG. 9 shows the message flow for the invention with an APS deployed for the MGCP protocol;

FIG. 10 shows the message flow for the invention without an APS deployed for the MGCP protocol;

FIG. 11 shows the message flow for the invention with an APS deployed for the SIP protocol;

FIG. 12 shows the message flow for the invention without an APS deployed for the SIP protocol;

FIG. 13 shows the message flow for the invention with an APS deployed for the H.248 protocol;

FIG. 14 shows the message flow for the invention without an APS deployed for the H.248 protocol;

FIG. 15 shows the message flow for the invention with an APS deployed for the H.323 and H.245 protocol; and

FIG. 16 shows the message flow for the invention without an APS deployed for the H.323 and H.245 protocol.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows the basic underlying concept of the invention for transmitting information packets containing multimedia communication across a firewall. An IP Network Entity A 10 is connected to a corporate network 15 by communication link 11. Communication link 11 supports two-way IP information packet transmission between the IP Network Entity A 10 and the corporate network 15. The corporate network 15 is protected by a firewall 20. The firewall 20 blocks information packet transmissions from outside the corporate network 15 from entering the corporate network 15.

Transmission of information packets across the firewall 20 uses a pinhole 25. The pinhole 25 is a communication port on the firewall 20 (e.g. typically the firewall resides on a gateway or other computer server acting as a gateway node). The pinhole is created by the first message that IP Network Entity A 10 sends to IP Network Entity 35. An IP Network Entity B 35 residing outside the corporate network 15 communicates across communication link 31 using the Internet 30. IP packets are transmitted outside the corporate network 15 to the IP Network Entity A 10 using communication link 50 to the Internet 30 across pinhole 25. IP packets are transmitted into the corporate network 15 to the IP Network Entity A 10 using communication link 55 to the Internet 30 across pinhole 25. An IP address corresponding to the pinhole's topological location is used to route information packets across the firewall 20.

FIG. 2 shows a network architecture for communication between two corporate networks that implements the invention using a trusted entity outside the firewall with an application server deployed within the firewall. The application server can be a SIP proxy server, an Integrated Access Device (IAD), or an Application Proxy Server (APS), which is a special type of Media Proxy Router. Communication device 1 103 is connected to the corporate network 1 110 by communication link 104. Communication device 2 105 is connected to the corporate network 1 110 by communication link 107. The corporate network 1 110 is connected to an application proxy server 1 (APS 1) 115 by communication link 113, and the APS 1 115 is connected to the firewall 1 120 by communication link 108. The APS 1 115 is a special type media proxy server that acts as a proxy for all end-terminals, including communication device 1 103 and communication device 2 105, and has the capability for creating pinholes for media information packets and signaling messages to transit the firewall 1 120.

The firewall 1 120 is connected to the Internet 125 by communication link 121. A soft-switch (SSW) 130 is connected to the Internet 125 by communication link 122 and communicates with the corporate network 110 over the Internet 125 and communication link 121. The SSW 130 is a software application interface (API) used to bridge a public switched telephone network (PSTN) and VoIP. The SSW 130 separates the call control functions of a phone call from the media information data.

The Media Proxy Router 135 is also connected to the Internet 125 by communication link 126 and communicates with the corporate network 110 over the Internet 125 and communication link 121. The Media Proxy Router 135 is a network entity (e.g. server, workstation, or gateway-type hardware) that performs IP address translation on signaling/media information packets (e.g. MGCP/RTP packets). The Media Proxy Router 135 and the SSW 130 can share the same physical “box” and communicate directly with each other and not over the Internet 125.

The Internet 125 is also linked to a second corporate network. The Internet 125 is connected to firewall 2 140 by communication link 127, and the SSW 130 and Media Proxy Router 135 can communicate with the second corporate network using the Internet 125 and communication link 127. The firewall 2 140 is connected to APS 2 145 by communication link 144. The APS 2 145 is connected to the corporate network 2 150 by communication link 146. Communication device 3 153 is connected to the corporate network 2 150 by communication link 154, and communication device 4 is connected to the corporate network 2 150 by communication link 157.

FIG. 3 shows an alternate network architecture that lacks an APS deployed inside the firewall. Without a deployed APS, the end-terminals (e.g. communication devices such as phones) must possess a certain degree of intelligence to directly communicate with media-over-IP equipment outside the firewall to create pinholes through the firewall. Communication device 1 203 is connected to the corporate network 1 210 by communication link 204. Communication device 2 205 is connected to the corporate network 1 210 by communication link 207, and the corporate network 1 210 is connected to the firewall 1 220 by communication link 208.

The firewall 1 220 is connected to the Internet 225 by communication link 221. A soft-switch (SSW) 230 is connected to the Internet 225 by communication link 222 and communicates with the corporate network 1 210 over the Internet 225 and communication link 221. The SSW 230 is a software application interface (API) used to bridge a public switched telephone network (PSTN) and VoIP. The SSW 230 separates the call control functions of a phone call from the media information data.

The Media Proxy Router 235 is also connected to the Internet 225 by communication link 226 and communicates with the corporate network 1 210 over the Internet 225 and communication link 221. The Media Proxy Router 235 is a network entity (e.g. server, workstation, or gateway-type hardware) that performs IP address translation on signaling/media information packets (e.g. MGCP/RTP packets). The Media Proxy Router 235 and the SSW 230 can share the same physical “box” and communicate directly with each other and not over the Internet 225.

The Internet 225 is also linked to a second corporate network. The Internet 225 is connected to firewall 2 240 by communication link 227, and the SSW 230 and Media Proxy Router 235 can communicate with the second corporate network using the Internet 225 and communication link 227. The firewall 2 240 is connected to the corporate network 2 250 by communication link 244. Communication device 3 253 is connected to the corporate network 2 250 by communication link 254, and communication device 4 is connected to the corporate network 2 250 by communication link 257.

FIG. 4 shows the operation of the Media Proxy Router in the invention for handling signaling information packets. The Media Proxy Router 301 performs IP address translation on signaling and media information packets. For signaling messages, the process 305 includes receiving signaling packets forwarded from the soft-switch. The IP address header in these signaling messages is translated in process 310 by the Media Proxy Router 301 by looking up the destination corporate network and replacing the IP address header with the address maintained in a routing table corresponding to a pinhole 320 on the firewall 329. In process 310, the signaling messages are routed to the appropriate pinhole 320 in the firewall 325. The pinhole routing table 330 in the Media Proxy Router 301 includes an entry 331 for the IP identifier (e.g. IP address for network ABC) of the destination network, an entry 332 for the protocol of the signaling message (e.g. MGCP), and an entry 333 for the corresponding firewall pinhole IP address compatible with that signaling protocol on that network.

FIG. 5 shows the operation of the Media Proxy Router in the invention for handling media information packets (e.g. RTP packets). For media messages, the process 405 includes receiving media information packets forwarded from the soft-switch. The IP address header in these media messages is translated in process 410 by the Media Proxy Router 401, which has a designated IP address of 192.10.2.10:12345. The Media Proxy Router 401 looks up and replaces the destination IP address, which corresponds to the IP address of the Media Proxy Router 401, with IP address 128.86.32.11:23456, which is the corresponding IP address of pinhole 430 in the firewall 440. The Media Proxy Router 401 also inserts the destination address of the communication device on the network, which is 225.87.40.2:34567, into the IP header address information data fields of the media information packet. The Media Proxy Router 401 transmits the media information packet (e.g. the RTP packet) to the IP address of the pinhole 430 through the firewall 440 in process 415. In process 420, the RTP packet is routed to the destination corresponding to the destination address inserted into the RTP packet by the Media Proxy Router 401. The routing table 450 stored in the Media Proxy Router 401 includes the received IP address 441, the through IP address 442 for the firewall pinhole 430, and the ultimate destination IP address 443 of the RTP packet.

FIG. 6 shows the basic signaling message flow for the invention used to provision the routing table entries in the Media Proxy Router. In order for End-Terminals inside the firewall to receive signaling messages towards them, the APS inside the firewall (see FIG. 2) or the communication device if there is no APS (see FIG. 3), at initiation time sends a Registration Request message to the Media Proxy Router outside the firewall at step 505. This Registration Request message contains information on the application server, the subscribers (e.g. the communication devices), and the terminal inside the firewall.

The Registration Request message creates a pinhole on the firewall. The Media Proxy Router obtains the pinhole information from the origination IP address and port of the Registration Request message. The Media Proxy Router records the pinhole information in the routing table maintained on the router and will forward all the signaling messages addressed to subscribers inside the firewall to that pinhole.

After receiving the Registration Request message from the application server, in step 510 the Media Proxy Router sends a Registration Response message back to the application server confirming the success/failure of the registration. If the registration fails, the application server sets a failure alarm and resends the Registration Request message to the Media Proxy Router. If the registration is successful, the APS starts a timer that resets to zero if a message goes through the pinhole. In step 515, signaling messages are transmitted between the APS or communication device and the Media Proxy Router.

At step 520, the last signaling message is transmitted, and the timer begins a countdown at step 525. If no message passes through the pinhole for a configured time period, the timer times out in step 530. In step 535, the APS sends a new Registration Request to the Media Proxy Router. This new Registration Request message prevents the firewall from closing the pinhole after a specified inactive time duration. Thus, the configured time period for resending the Registration Request must be shorter than the inactive time duration specified for closing pinholes on the firewall. In step 540, the trusted Media Proxy Router sends a Registration Response message back to the APS or communication device confirming the success/failure of the registration. If successful, the pinhole remains open for additional signaling message transmissions.
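A small model of the FIG. 6 keep-alive, added here as an example rather than taken from the patent; the class names, the one-second tick and the timing values are constructed. It shows why the refresh period must be shorter than the firewall's inactivity timeout: with a 40 s refresh and a 30 s timeout the pinhole closes and inbound signaling is blocked until the next Registration Request reopens it.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PinholeTimer:
    """Firewall side: the pinhole closes once idle_timeout seconds pass with no traffic."""
    idle_timeout: float
    last_seen: float | None = None

    def traffic(self, now: float) -> None:
        self.last_seen = now          # any packet through the pinhole resets the idle clock

    def is_open(self, now: float) -> bool:
        return self.last_seen is not None and now - self.last_seen < self.idle_timeout


@dataclass
class Registrar:
    """APS or End-Terminal side: re-sends a Registration Request after refresh seconds of silence."""
    refresh: float
    last_message: float = 0.0
    registrations: list[float] = field(default_factory=list)

    def send(self, now: float, pinhole: PinholeTimer) -> None:
        pinhole.traffic(now)          # steps 515/525: each message through the pinhole restarts the timer
        self.last_message = now

    def register(self, now: float, pinhole: PinholeTimer) -> None:
        self.registrations.append(now)
        self.send(now, pinhole)       # steps 505/535: the Registration Request passes through the pinhole

    def tick(self, now: float, pinhole: PinholeTimer) -> None:
        if now - self.last_message >= self.refresh:   # step 530: the APS timer timed out
            self.register(now, pinhole)               # step 535: new Registration Request


def simulate(refresh: float, idle_timeout: float, duration: float) -> dict:
    """Register once at t=0, then send nothing else; report when (if ever) the firewall
    closed the pinhole and for how many one-second ticks inbound signaling was blocked."""
    pinhole = PinholeTimer(idle_timeout)
    reg = Registrar(refresh)
    reg.register(0.0, pinhole)
    closed_at: float | None = None
    blocked_ticks = 0
    t = 1.0
    while t <= duration:
        if not pinhole.is_open(t):    # firewall state before the registrar reacts at this tick
            blocked_ticks += 1
            closed_at = t if closed_at is None else closed_at
        reg.tick(t, pinhole)
        t += 1.0
    return {"closed_at": closed_at, "blocked_ticks": blocked_ticks, "refreshes": len(reg.registrations)}
```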

FIG. 7 shows the message flow of media information packets penetrating a firewall with an APS deployed inside the firewall. In step 610, a signaling message for creating a media connection is sent through the firewall 602 pinhole 605 for communicating signaling messages (e.g. the signaling pinhole) to the APS 603. This signaling message is dependent on the protocol being used (e.g. an INVITE in Session Initiation Protocol (SIP), Create Connection (CRCX) in Media Gateway Control Protocol (MGCP), etc.). In step 620, the APS 603 forwards the signaling message for creating a media connection to the appropriate End-Terminal 604 at port A 606 used for signaling message processing. In step 630, the End-Terminal 604 creates a media connection by transmitting a connection information message (e.g. 200 OK in SIP, Create Connection Acknowledge (CRCX ACK) in MGCP, etc.) designating a listening IP address/port A 606 to the Media Proxy Router 601 through the APS 603. The APS 603 processes the connection information message before transmission to the Media Proxy Router 601.

In step 640, the APS 603 first sends an IP packet designated as a Create Media Pinhole (CMPH) message from port B 608 to the Media Proxy Router to create a pinhole for media information packets to transit the firewall. This CMPH message contains the address corresponding to the pinhole used to transit the firewall—port C 609. The APS 603 also creates a mapping entry (port B 608 → port A 607) in its routing table for routing media information packets to the End-Terminal 604. Upon receiving the CMPH message, in step 650 the Media Proxy Router 601 sends a CMPH Response message back to APS 603 through port C 609. The CMPH Response message contains the pinhole information (e.g. IP address/port C 609) that is the origination IP address and port seen in the received CMPH by the Media Proxy Router 601.

Upon receiving the CMPH Response, the APS 603 replaces the IP address and port for listening for media information packets (e.g. port B 608) in the connection information message with the IP address and port (e.g. port C 609) of the pinhole found in the CMPH Response. The APS 603 then sends the connection information message with the newly designated pinhole address and port as its media information packet listening address and port (e.g. port C 609) to the Media Proxy Router 601 in step 660. In step 670, after receiving the new connection information message, the Media Proxy Router opens port D 611 for listening for media information packets (e.g. RTP packets) from the other party, and creates a mapping entry (port D 611 → port C 609) in its routing table. The Media Proxy Router then sends the connection information message, with IP address/port designated as D 611, to the appropriate entity (e.g. the other party or the soft-switch).

When the Media Proxy Router 601 receives media information packets (e.g. RTP packets) from the other party at its designated IP address/port D 611, it forwards the media information packets to IP address/port C 609 on the firewall according to its routing table (port D 611 → port C 609). Those media information packets are forwarded to IP address/port B 608 by the firewall since the pinhole (port C 609) is created from IP address/port B 608. Upon receiving those media information packets, the APS 603 forwards them to IP address/port A 607 on the End-Terminal according to its routing table (port B 608 → port A 607). Using this method, media information packets from the other party are able to cross the firewall and reach the targeted End-Terminal 604.

FIG. 8 shows the message flow of media information packets penetrating a firewall without an APS deployed inside the firewall. In step 710, a signaling message for creating a pinhole is sent through the firewall 702 pinhole 705 for signaling messages to the End-Terminal 704 port 706 for signaling messages. The End-Terminal 704 reacts by sending an IP packet, a CMPH message, from port A 707, which will be used to listen to media information packets, to the Media Proxy Router 701, to create a pinhole for media information packets to transit the firewall 702 in step 720. This CMPH message contains the address corresponding to the pinhole used to transit the firewall—port B 708. Upon receiving the CMPH message, in step 730 the Media Proxy Router 701 sends a CMPH Response back to the End-Terminal 704 through the pinhole 708 in firewall 702. The CMPH Response contains the pinhole information (IP address/port B 708) that is the origination IP address and port seen in the received CMPH by the Media Proxy Router 701.

In step 730, upon receiving the CMPH Response message, the End-Terminal 704 constructs a connection information message with the designated listening IP address/port B 708 of the pinhole (found in the CMPH Response), and then sends the connection information message to the Media Proxy Router 701 in step 740. When receiving the new connection information message sent in step 740, the Media Proxy Router 701 opens port C 711 for listening for media information packets (e.g. RTP packets) from the other party, and creates a mapping entry (port C 711 → port B 708) in its routing table. The Media Proxy Router 701 then sends the connection information message with the IP address/port for the newly-opened port C 711 to the appropriate entity (e.g. the other party, or the soft-switch) in step 750.

When the Media Proxy Router 701 receives media information packets (e.g., RTP packets) from the other party at its designated IP address/port C 711, it forwards the media information packets to IP address/port B 708 on the firewall according to its routing table (port C 711→port B 708). Those media information packets will be forwarded to IP address/port A 707 by the firewall since the pinhole (port B 708) is created from IP address/port A 707, which is the listening port of the End-Terminal 704. Using this method, the media information packets from the other party are able to cross the firewall 702 and reach the targeted End-Terminal 704.

In both cases (APS deployed or not), the first signaling message for creating a media connection may not exist. For example, if the End-Terminal initiates a media connection (e.g. by sending a first INVITE message if using SIP), then a media connection setup message is not required. Also in both cases (APS deployed or not), the CMPH Response message may not be necessary. If the CMPH Response message is not used, the APS, or the End-Terminal if no APS is deployed, will have to first send an IP packet and a connection information message with its actual listening address/port to the Media Proxy Router. This IP packet is for creating a pinhole for media information packets. Upon receiving both messages (CMPH and connection information message), the Media Proxy Router opens a new port for listening for media information packets (e.g. RTP packets) from the other party, and creates a mapping entry, which maps the newly-opened port to the pinhole address/port, in its routing table. The Media Proxy Router then sends a new connection information message with the IP address/port for this newly-opened port to the appropriate entity (e.g. the other party or the soft-switch).
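The two relay paths described above (through an APS, and directly to the End-Terminal as in FIG. 8) can be simulated end to end. The Python below is an added example written for this page, not code from the patent or from any product implementing it. It models the firewall as a NAT-style device that rewrites the source of an outbound packet to a fresh pinhole address and admits inbound packets only at a pinhole, and it models the Media Proxy Router's rule that a listening port is opened only after both the CMPH and the connection information message have arrived. Every IP address and port, the session label `call-1` and the class and function names are constructed for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


@dataclass
class Packet:
    src: Addr
    dst: Addr
    payload: bytes


class Firewall:
    """An outbound packet opens a pinhole mapped back to the inside address it
    came from; an inbound packet is admitted only if it is addressed to a pinhole."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.pinholes: Dict[Addr, Addr] = {}  # pinhole address -> inside address

    def outbound(self, pkt: Packet) -> Packet:
        hole = next((h for h, i in self.pinholes.items() if i == pkt.src), None)
        if hole is None:
            hole = (self.public_ip, next(self._ports))
            self.pinholes[hole] = pkt.src
        return Packet(hole, pkt.dst, pkt.payload)  # source now reads as the pinhole

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.pinholes.get(pkt.dst)
        return None if inside is None else Packet(pkt.src, inside, pkt.payload)


class MediaProxyRouter:
    """Keeps the routing table (opened port -> media pinhole) and relays media."""

    def __init__(self, ip: str, first_port: int = 40000):
        self.ip = ip
        self._ports = itertools.count(first_port)
        self.pinhole_seen: Dict[str, Addr] = {}    # session -> source seen on the CMPH
        self.listen_addr: Dict[str, Addr] = {}     # session -> connection information
        self.routing_table: Dict[Addr, Addr] = {}  # opened port -> pinhole

    def on_cmph(self, session: str, pkt: Packet) -> Packet:
        # The origination address seen on the CMPH is the media pinhole; the
        # CMPH Response carries it back through that same pinhole.
        self.pinhole_seen[session] = pkt.src
        return Packet(pkt.dst, pkt.src, b"CMPH Response " + repr(pkt.src).encode())

    def on_connection_info(self, session: str, addr: Addr) -> Optional[Addr]:
        self.listen_addr[session] = addr
        pinhole = self.pinhole_seen.get(session)
        if pinhole is None:
            return None  # both the CMPH and the connection info are needed first
        opened = (self.ip, next(self._ports))
        self.routing_table[opened] = pinhole
        return opened  # goes into the new connection information for the other party

    def on_media(self, pkt: Packet) -> Optional[Packet]:
        pinhole = self.routing_table.get(pkt.dst)
        return None if pinhole is None else Packet(pkt.dst, pinhole, pkt.payload)


class APS:
    """Proxy inside the firewall with its own table: its port B -> End-Terminal port A."""

    def __init__(self, addr: Addr):
        self.addr = addr
        self.routing_table: Dict[Addr, Addr] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        target = self.routing_table.get(pkt.dst)
        return None if target is None else Packet(pkt.dst, target, pkt.payload)


def deliver_media(with_aps: bool) -> Optional[Addr]:
    """Run the setup exchange, then trace one RTP packet from the other party and
    return the address it finally reaches. All addresses are constructed samples."""
    fw = Firewall("203.0.113.1")
    mpr = MediaProxyRouter("198.51.100.1")
    port_a: Addr = ("10.0.0.5", 5004)                     # End-Terminal media port
    aps = APS(("10.0.0.2", 7000)) if with_aps else None   # APS port B
    other_party: Addr = ("192.0.2.9", 6000)
    # Step 1: the inside sender (APS port B, or port A itself without an APS)
    # emits the CMPH; the firewall turns its source into a pinhole.
    origin = aps.addr if aps else port_a
    cmph = fw.outbound(Packet(origin, (mpr.ip, 5060), b"CMPH"))
    if fw.inbound(mpr.on_cmph("call-1", cmph)) is None:
        return None  # the CMPH Response could not get back through the pinhole
    # Step 2: connection info names the pinhole as the listening address and the
    # router opens a fresh port mapped to it.
    opened = mpr.on_connection_info("call-1", cmph.src)
    if aps:
        aps.routing_table[aps.addr] = port_a  # port B -> port A
    # Step 3: media from the other party hits the opened port and is relayed.
    hop = mpr.on_media(Packet(other_party, opened, b"RTP")) if opened else None
    hop = fw.inbound(hop) if hop else None
    hop = aps.forward(hop) if (hop and aps) else hop
    return hop.dst if hop else None
```

`deliver_media(True)` and `deliver_media(False)` both end at port A, the only difference being the extra port B→port A hop inside the APS. A packet addressed to a Media Proxy Router port with no routing-table entry is dropped by `on_media` rather than relayed, and the firewall likewise drops anything not aimed at an existing pinhole; these two lookups are what confine inbound media to the ports that the signaling exchange actually opened.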

FIG. 9 shows the message flow using the Media Gateway Control Protocol (MGCP) for signaling message flow for penetrating firewalls with an APS deployed inside the firewalls (e.g. FIG. 2). In step 805, possible setup messages are exchanged between the End-Terminals, the APSs, and the Media Proxy Router, such as RQNT, NTFY, etc. In step 810, the message exchange to setup the pinhole of the invention begins with a CRCX message sent from the Media Proxy Router to the APS 1 on a first network. In step 815, the APS 1 transmits a CRCX message to End-Terminal A on the first network. In step 820, the APS 1 responds with a CRCX ACK message to the APS 1. The APS 1 then generates a Create Media Pinhole (CMPH) message and transmits the CMPH to the Media Proxy Router. In step 830, the Media Proxy Router transmits a Create Media Pinhole Acknowledge (CMPH ACK) message to the APS 1. In step 835, the APS 1 transmits a CRCX ACK message to the Media Proxy Router.

In step 840, the Media Proxy Router transmits a CRCX message to an APS 2 on a second network (e.g. FIG. 2). The APS 2 transmits a CRCX message to End-Terminal B in step 845. In step 850, End-Terminal B transmits a CRCX ACK message to APS 2, and APS 2 transmits a CMPH message to the Media Proxy Router in step 855. In step 860, the Media Proxy Router generates and transmits a CMPH ACK message to APS 2, and APS 2 responds with a CRCX ACK message back to the Media Proxy Router in step 865. In step 870, the Media Proxy Router transmits a Modified Connection (MDCX) message to APS 1. In step 875, APS 1 forwards the MDCX message to End-Terminal A. The End-Terminal A responds with a Modified Connection Acknowledge (MDCX ACK) message to APS 1 in step 880, and APS 1 forwards the MDCX ACK message to the Media Proxy Router in step 885. This completes creation of firewall pinholes, so that in step 890 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIG. 10 shows the MGCP message flow for penetrating firewalls with no APS deployed inside the firewall (e.g. FIG. 3). In step 905, possible setup messages are exchanged between the End-Terminals, the APSs, and the Media Proxy Router, such as RQNT, NTFY, etc. In step 910, the Media Proxy Router transmits a CRCX message to End-Terminal A on a first network. In step 915, the End-Terminal A sends a CMPH message to the Media Proxy Router, and the Media Proxy Router responds with a CMPH ACK message in step 920. In step 925, the End-Terminal A responds with a CRCX ACK message to the Media Proxy Router.

In step 930, the Media Proxy Router sends a CRCX message to the End-Terminal B on a second network. End-Terminal B responds with a CMPH message to the Media Proxy Router in step 935. In step 940, the Media Proxy Router responds to the End-Terminal B with a CMPH ACK message. The End-Terminal B then sends a CRCX ACK message to the Media Proxy Router in step 945. In step 950, the Media Proxy Router transmits a MDCX message to End-Terminal A, and End-Terminal A responds to the Media Proxy Router with a MDCX ACK message in step 955. This establishes the pinholes in the firewalls on the two networks, so End-Terminal A and End-Terminal B can transmit RTP packets between each other in step 960.

FIG. 11 shows a Session Initiation Protocol (SIP) message flow for penetrating firewalls with an APS deployed inside the firewalls. In step 1005, End-Terminal A on a first network sends a SIP INVITE message to APS 1, which then transmits a CMPH message to the Media Proxy Router in step 1010. In step 1015, the Media Proxy Router sends a CMPH ACK message to the APS 1. The APS 1 then sends an INVITE message to the Media Proxy Router in step 1020. The Media Proxy Router forwards the INVITE message to APS 2 on a second network in step 1025, which in turn forwards the INVITE message to End-Terminal B, also on the second network, in step 1030. In step 1035, the End-Terminal B transmits an 18x message to the APS 2. The APS 2 forwards the 18x message to the Media Proxy Router in step 1040. In step 1045, the Media Proxy Router forwards the 18x message to APS 1, and APS 1 sends the 18x message to End-Terminal A in step 1050.

In step 1055, End-Terminal B transmits a 200 OK message to APS 2. The APS 2 transmits a CMPH message to the Media Proxy Router in step 1060. In step 1065, the Media Proxy Router responds to APS 2 with a CMPH ACK message. In step 1070, APS 2 transmits a 200 OK message to the Media Proxy Router. The Media Proxy Router forwards the 200 OK message to the APS 1 in step 1075, and APS 1 forwards the 200 OK message to End-Terminal A in step 1080. The End-Terminal A responds by generating and transmitting an ACK message in step 1090 to APS 1. In step 1095, APS 1 forwards the ACK message to the Media Proxy Router, which in turn forwards the ACK message to APS 2 in step 1097. This completes creation of firewall pinholes, so that in step 1100 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIG. 12 shows the Session Initiation Protocol (SIP) message flow for penetrating firewalls with no APS deployed inside the firewalls. The End-Terminal A transmits an INVITE message to the Media Proxy Router in step 1105. In step 1110, End-Terminal A transmits a CMPH message to the Media Proxy Router, and the Media Proxy Router responds with a CMPH ACK message in step 1115 to End-Terminal A. In step 1120, the Media Proxy Router transmits an INVITE message to End-Terminal B. In step 1125, End-Terminal B transmits an 18x message to the Media Proxy Router. The Media Proxy Router in step 1130 forwards the 18x message to End-Terminal A. In step 1135, End-Terminal B transmits a CMPH message to the Media Proxy Router, and the Media Proxy Router responds with a CMPH ACK message in step 1140 to End-Terminal B.

In step 1145, End-Terminal B transmits a 200 OK message to the Media Proxy Router, which forwards the 200 OK message to End-Terminal A in step 1150. In step 1155, the Media Proxy Router transmits an ACK message to End-Terminal B, and in step 1160, End-Terminal A transmits an ACK message to the Media Proxy Router. This completes creation of firewall pinholes, so that in step 1165 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIG. 13 shows the H.248 (MEGACO) message flow for penetrating firewalls with an APS deployed inside the firewalls. In step 1205, possible setup messages such as Notify Request, Notify, etc. are transmitted between the End-Terminals and the Media Proxy Router. In step 1210, the Media Proxy Router transmits an ADD message to APS 1 on the first network, and in step 1215, APS 1 forwards the ADD message to End-Terminal A. In step 1220, End-Terminal A responds with an ADD ACK message to APS 1. The APS 1 transmits a CMPH message to the Media Proxy Router in step 1225. The Media Proxy Router then responds with a CMPH ACK message to APS 1 in step 1230. In step 1235, APS 1 transmits an ADD ACK to the Media Proxy Router.

In step 1240, the Media Proxy Router transmits an ADD message to APS 2, and in step 1245, APS 2 forwards the ADD message to the End-Terminal B. In step 1250, an ADD ACK message is transmitted from End-Terminal B to APS 2. In step 1255, APS 2 transmits a CMPH message to the Media Proxy Router, and the Media Proxy Router responds with a CMPH ACK message to APS 2 in step 1260. In step 1265, APS 2 transmits an ADD ACK message to the Media Proxy Router.

In step 1270, the Media Proxy Router transmits a MODIFY message to APS 1, and APS 1 forwards the MODIFY message to End-Terminal A in step 1275. In step 1280, the End-Terminal A responds with a MODIFY ACK message to APS 1, and in step 1285, APS 1 forwards the MODIFY ACK message to the Media Proxy Router. This completes creation of firewall pinholes, so that in step 1290 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIG. 14 shows H.248 (MEGACO) message flow for penetrating firewalls with no APS deployed inside the firewalls. In step 1305, possible setup messages such as Notify Request, Notify, etc. are transmitted between the End-Terminals and the Media Proxy Router. The Media Proxy Router transmits an ADD message to End-Terminal A in a first network in step 1310. In step 1315, End-Terminal A transmits a CMPH message to the Media Proxy Router. In step 1320, the Media Proxy Router transmits a CMPH ACK message to End-Terminal A, and in step 1325, the End-Terminal A responds with an ADD ACK message back to the Media Proxy Router.

In step 1330, the Media Proxy Router transmits an ADD message to End-Terminal B in a second network. In step 1335, End-Terminal B responds by transmitting a CMPH message to the Media Proxy Router. In step 1340, the Media Proxy Router responds with a CMPH ACK message to End-Terminal B. In step 1345, End-Terminal B responds with an ADD ACK message to the Media Proxy Router. In step 1350, the Media Proxy Router transmits a MODIFY message to End-Terminal A. End-Terminal B then responds with a MODIFY ACK to the Media Proxy Router in step 1355. This completes creation of firewall pinholes, so that in step 1360 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIGS. 15 and 16 show the H.323 message flow for penetrating firewalls. The call flows in both FIGS. 15 and 16 assume local ring back. Ring back involves more messages in the call flows. However, the principle for RTP packets to penetrate firewalls through pinholes remains the same.

In FIG. 15, the message flow for H.323 for penetrating firewalls with an APS deployed inside the firewalls is shown. In step 1402, various possible messages are exchanged between the Media Proxy Router and the two End-Terminals. In step 1404, a setup message is transmitted from End-Terminal A to APS 1 on a first network. The APS 1 forwards the setup message to the Media Proxy Router in step 1406. In step 1408, the Media Proxy Router forwards the setup message to APS 2 on a second network. In step 1410, APS 2 forwards the setup message to the End-Terminal B also on the second network.

In step 1412, the Media Proxy Router transmits a call proceeding message to APS 1. In step 1414, APS 1 forwards a call proceeding message to End-Terminal A. In step 1416, End-Terminal B transmits a call proceeding message to APS 2, and APS 2 forwards the call proceeding message to the Media Proxy Router in step 1418. In step 1420, End-Terminal B transmits an alerting message to APS 2. In step 1422, APS 2 forwards the alerting message to the Media Proxy Router. The Media Proxy Router forwards the alerting message to APS 1 in step 1424, and the APS 1 forwards the alerting message to End-Terminal A in step 1426.

In step 1428, End-Terminal A transmits a H.245 TCS message to APS 1. The APS 1 forwards the H.245 TCS message to the Media Proxy Router in step 1430. In step 1432, the Media Proxy Router forwards the H.245 TCS message to APS 2, which in turn forwards the H.245 TCS message to End-Terminal B in step 1434. In step 1436, End-Terminal B responds to the H.245 TCS message with a TCS ACK message transmitted to APS 2. In step 1438, APS 2 forwards the TCS ACK message to the Media Proxy Router. The Media Proxy Router forwards the TCS ACK message to APS 1 in step 1440, and in step 1442, APS 1 forwards the TCS ACK message to End-Terminal A.

In step 1444, End-Terminal A transmits a H.245 Open Logic Channel (OLC) message to APS 1. In step 1446, APS 1 transmits a CMPH message to the Media Proxy Router, and the Media Proxy Router responds with a CMPH ACK message in step 1448. In step 1450, APS 1 transmits a H.245 OLC message to the Media Proxy Router. In step 1452, the Media Proxy Router forwards the H.245 OLC message to APS 2, and APS 2 forwards the H.245 OLC message to End-Terminal B in step 1454. In step 1456, End-Terminal B responds with an Open Logic Channel Acknowledge (OLC ACK) message transmitted to APS 2. APS 2 in turn transmits a CMPH message to the Media Proxy Router in step 1458. In step 1460, the Media Proxy Router transmits a CMPH ACK message to APS 2. In step 1462, APS 2 responds with an OLC ACK message sent to the Media Proxy Router. The Media Proxy Router forwards the OLC ACK message to APS 1 in step 1464, and in step 1466, APS 1 forwards the OLC ACK message to End-Terminal A. This completes creation of firewall pinholes, so that in step 1468 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.

FIG. 16 shows the H.323 message flow for penetrating firewalls with no APS deployed inside the firewalls. In step 1502, various possible messages are exchanged between the Media Proxy Router and two End-Terminals. In step 1504, a setup message is transmitted from End-Terminal A on a first network to the Media Proxy Router. The Media Proxy Router forwards the setup message to End-Terminal B on a second network in step 1506. In step 1508, the Media Proxy Router transmits a call proceeding message to End-Terminal A. In step 1510, End-Terminal B transmits a call proceeding message to the Media Proxy Router. In step 1512, End-Terminal B transmits an alerting message to the Media Proxy Router. In step 1514, the Media Proxy Router transmits an alerting message to End-Terminal A. In step 1516, the End-Terminal A transmits a H.245 TCS message to the Media Proxy Router. In step 1518, the Media Proxy Router forwards the H.245 Terminal Capability Set (TCS) message to End-Terminal B, and in step 1520, End-Terminal B responds with a Terminal Capability Set Acknowledge (TCS ACK) message to the Media Proxy Router. In step 1522, the Media Proxy Router forwards the TCS ACK message to End-Terminal A.

In step 1524, End-Terminal A transmits a CMPH message to the Media Proxy Router, and in step 1526, the Media Proxy Router responds with a CMPH ACK message transmitted to End-Terminal A. The End-Terminal A transmits a H.245 OLC message to the Media Proxy Router in step 1528. In step 1530, the Media Proxy Router forwards the H.245 OLC message to End-Terminal B. In step 1532, End-Terminal B transmits a CMPH message to the Media Proxy Router, which responds with a CMPH ACK message back to End-Terminal B in step 1534. In step 1536, End-Terminal B transmits an OLC ACK message to the Media Proxy Router, which forwards the OLC ACK message to End-Terminal A in step 1538. This completes creation of firewall pinholes, so that in step 1540 RTP media information packets are transmitted between End-Terminal A and End-Terminal B.
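Across the MGCP, SIP, H.248 and H.323 flows of FIGS. 9 to 16 the element they all share is a CMPH / CMPH ACK exchange for each End-Terminal (or for the APS acting on its behalf) before RTP is allowed to flow. The Python below is an added example, not part of the patent, that replays a message trace and reports any media that appears before both pinholes have been acknowledged, regardless of which call-control protocol carries the surrounding messages. The trace is a constructed rendering of the FIG. 12 steps; the party labels (`A`, `B`, `MPR`, `APS1`, `APS2`), the state names and the `check_flow` function are assumptions of the example.

```python
from typing import Dict, List, Tuple

Event = Tuple[int, str, str, str]  # (step, message, sender, receiver)

# Constructed rendering of the FIG. 12 flow (SIP, no APS), steps 1105 to 1165.
SIP_NO_APS: List[Event] = [
    (1105, "INVITE", "A", "MPR"),
    (1110, "CMPH", "A", "MPR"),
    (1115, "CMPH ACK", "MPR", "A"),
    (1120, "INVITE", "MPR", "B"),
    (1125, "18x", "B", "MPR"),
    (1130, "18x", "MPR", "A"),
    (1135, "CMPH", "B", "MPR"),
    (1140, "CMPH ACK", "MPR", "B"),
    (1145, "200 OK", "B", "MPR"),
    (1150, "200 OK", "MPR", "A"),
    (1155, "ACK", "MPR", "B"),
    (1160, "ACK", "A", "MPR"),
    (1165, "RTP", "A", "B"),
]

# When an APS is deployed it sends the CMPH for its End-Terminal (FIGS. 9, 11,
# 13, 15), so APS labels are folded onto the terminal they front.
APS_ALIASES: Dict[str, str] = {"APS1": "A", "APS2": "B"}


class PinholeTracker:
    """Per End-Terminal pinhole state: closed -> requested (CMPH) -> open (CMPH ACK)."""

    def __init__(self, terminals=("A", "B"), aliases: Dict[str, str] = APS_ALIASES):
        self.state: Dict[str, str] = {t: "closed" for t in terminals}
        self.aliases = aliases
        self.violations: List[str] = []

    def media_allowed(self) -> bool:
        return all(s == "open" for s in self.state.values())

    def observe(self, step: int, msg: str, src: str, dst: str) -> None:
        src, dst = self.aliases.get(src, src), self.aliases.get(dst, dst)
        if msg == "CMPH" and src in self.state:
            self.state[src] = "requested"
        elif msg == "CMPH ACK" and dst in self.state:
            if self.state[dst] != "requested":
                self.violations.append(f"step {step}: CMPH ACK to {dst} without a CMPH")
            else:
                self.state[dst] = "open"
        elif msg == "RTP" and not self.media_allowed():
            closed = [t for t, s in self.state.items() if s != "open"]
            self.violations.append(f"step {step}: media before pinhole open for {closed}")


def check_flow(trace: List[Event]) -> Tuple[bool, List[str]]:
    """Replay a trace; return (media may flow at the end, list of violations)."""
    tracker = PinholeTracker()
    for event in trace:
        tracker.observe(*event)
    return tracker.media_allowed(), tracker.violations
```

On the FIG. 12 trace `check_flow` returns `(True, [])`. Moving the RTP event to just after step 1130, before End-Terminal B's CMPH, produces one violation naming `B`, which is the condition a monitor on the Media Proxy Router side would want to flag: media on a port whose pinhole mapping has not yet been established.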

While the invention has been particularly shown and described with respect to preferred embodiments, it will be readily understood that minor changes in the details of the invention may be made without departing from the spirit of the invention.

It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described herein above. In addition, unless mention was made above to the contrary, it should be noted that all of the accompanying drawings are not to scale. A variety of modifications and variations are possible in light of the above teachings without departing from the scope and spirit of the invention, which is limited only by the following claims.

What is claimed is:
 1. A system for enabling packet communication between a first communication device inside a firewall and a second communication device outside the firewall, the system comprising a media proxy router connected to the firewall outside the firewall, the media proxy router being associated with a soft switch and being configured to: receive information contained in signaling sent to the media proxy router or to the soft switch via a signaling pinhole in the firewall, the information identifying a port at which the first communication device will listen for media traffic; receive a packet sent to the media proxy router via a media pinhole in the firewall, the packet identifying the port at which the first communication device will listen for media traffic and identifying the media pinhole; assign a port of the media proxy router at which the media proxy router will listen for media traffic destined for the first communication device; and record an association between the assigned port and the media pinhole.
 2. The system of claim 1, wherein: the first communication device has a trust relationship with the media proxy router; and the signaling is sent to the media proxy router.
 3. The system of claim 1, wherein: the first communication device has a trust relationship with the soft switch; the signaling is sent to the soft switch; and the soft switch communicates to the media proxy router the information identifying a port at which the first communication device will listen for media traffic.
 4. The system of claim 1, wherein one of the media proxy router and the soft switch sends signaling to the second communication device, the signaling identifying the assigned port of the media proxy router at which the media proxy router will listen for media traffic destined for the first communication device.
 5. The system of claim 1, wherein the media proxy router is further configured to: receive media traffic destined for the first communication device on the assigned port; determine that the media traffic destined for the first communication device can be sent through the media pinhole to the first communication device based on the recorded association; and send the media traffic through the media pinhole to the first communication device.
 6. The system of claim 1, wherein the media proxy router comprises a routing table and is further configured to record the association between the assigned port and the media pinhole in the routing table.
 7. The system of claim 1, wherein: the assigned port of the media proxy router is associated with an assigned port address; the media pinhole is associated with a media pinhole address; the media proxy router is configured to record the association between the assigned port and the media pinhole by recording an association between the assigned port address and the media pinhole address; and the media proxy router is adapted to send media traffic destined for the first communication device through the media pinhole to the first communication device by addressing the media traffic to the media pinhole address.
 8. The system of claim 1, further comprising the soft switch.
 9. The system of claim 8, wherein the soft switch and the media proxy router are configured to cooperate: to receive signaling through the signaling pinhole, the signaling identifying a signaling port at which the first communication device will listen for signaling traffic; and responsive to receiving the signaling, to record an association between the first communication device and the signaling pinhole.
 10. The system of claim 9, wherein the soft switch and the media proxy router are further configured to cooperate to: receive signaling for communication to the first communication device; determine that the signaling for communication to the first communication device can be sent to the first communication device through the signaling pinhole based on the association between the first communication device and the signaling pinhole; and send the signaling through the signaling pinhole to the first communication device.
 11. The system of claim 9, wherein the signaling received through the signaling pinhole comprises a registration request.
 12. The system of claim 8, wherein the media proxy router and the soft switch are co-located and communicate directly with one another.
 13. The system of claim 12, wherein the media proxy router and the soft switch share a common housing.
 14. The system of claim 1, wherein the signaling comprises at least one Session Initiation Protocol (SIP) message.
 15. The system of claim 1, wherein the signaling comprises at least one Media Gateway Control Protocol (MGCP) message.
 16. The system of claim 1, wherein the signaling comprises at least one H.248 message.
 17. The system of claim 1, wherein the signaling comprises at least one H.323/H.245 message.
 18. The system of claim 1, wherein the media traffic comprises at least one of voice traffic, data traffic, video traffic, wireless voice traffic, wireless data traffic, wireless video traffic and multimedia traffic.
 19. The system of claim 1, wherein the media traffic comprises Real-time Transport Protocol (RTP) packets.
 20. The system of claim 1, wherein the signaling and the media traffic comprise IP packets.